The protection of the right to privacy and personal data – as set out in Articles 7 and 8 of the EU Charter on Fundamental Rights – is of great importance to the European External Action Service (EEAS) as a European public administration.

Privacy and data protection have become increasingly important in our daily life, both in private and at work. The rights to privacy and data protection have long been recognised as fundamental rights, and a new regulation, Regulation (EU) 2018/1725, also applies to the EEAS when processing personal data. The revised legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of EU institutions staff, Union citizens and of our partners in the world. Coming only 6 months after the entry into force of the General Data Protection Regulation (GDPR), which applies to Member States authorities, NGOs and the private sector, the new legislative act is harmonised with the principles of the GDPR.

To meet its obligations to citizens, the EEAS frequently needs to collect, process and retain personal data, such as names, functions, office addresses, phone numbers, photos or other data, including specific information in relation to individuals in the context of any EEAS activity, including Security, Defence and Crisis response, Public diplomacy, Development cooperation, as well as HR management, IT applications, procurements, conference, meeting and event organisation, budget or other administrative procedures.

Each directorate, division and service within the EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the data protection provisions laid down in the data protection legal framework. The EEAS Data Protection Office is consulted when activities involve such data collection, transmission, transfer or storage. All data of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.

The EEAS respects these principles for personal data processing set out in Regulation (EU) 2018/1725, as well as in Regulation (EU) 2016/679, the General Data Protection Regulation (abbreviated as 'the GDPR'), which is applicable to EU Member State public authorities, private sector enterprises and NGOs, with an impact on any organisation which processes personal data of individuals who are in the Union:

Fairness and Transparency: processed lawfully, fairly and in a transparent way

Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose

Data minimisation: adequate, relevant and limited to what is necessary for the purpose

Accuracy: accurate and, where necessary, kept up to date; enabling inaccurate or incomplete data to be corrected or erased

Storage limitation: kept in a form that allows identification for no longer than necessary

Integrity and confidentiality: processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Transfer to a Third country is permitted only with appropriate safeguards

The GDPR harmonises data protection requirements across all EU Member States, introducing new rights for data subjects, which apply extraterritorially to any organisation controlling and processing data on natural persons in the European Union.

The EEAS intends to inform people whose personal data is being processed, i.e. any concerned individual whose data has been collected, processed and eventually kept for a period of time. By means of Privacy Statements, the EEAS provides information on the processing and on how to exercise individual rights.

You have the right – free of charge – to:

be informed of any processing of your personal data:

who is in charge of it

what the purpose and the legal bases are

what type of data are being processed

who has access to the collected data

how long it is kept

what logic is used in any automated decision-making process concerning your data.

access and correct your data, when inaccurate or incomplete.

have your data restricted or erased and object to the processing of personal data in certain circumstances (such as when the processing is unlawful or the data is inaccurate)

You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for all the EU devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.

European Data Protection Supervisor (EDPS)

The EDPS:

monitors the EU administration's processing of personal data

advises on policies and legislation that affect privacy

cooperates with similar authorities to ensure consistent data protection.

The Register contains basic information about each record of personal data processing, similarly to the information included in the Privacy Statement:

purpose

controller, processor, data protection officer

type of data involved

legal basis

types of people concerned

how long the data will be kept

to whom the data is disclosed including any transfers

To be able to comply with the provisions of the new data protection regulation, the EEAS Register is going through a migration process. If you are looking for a specific process, you are invited to contact the EEAS DPO.

Processing operations that have been prior-checked by the European Data Protection Supervisor under Article 27 of the former data protection Regulation (EC) 45/2001 are included in the register held by the EDPS.

The purpose of the EEAS Data Protection Register and the EDPS Register is to inform the public about the existence of personal data processing operations. All persons concerned may exercise their rights as recognised by the Regulation on the basis of the information contained in the Register and in Data Protection Notices, also known as Privacy Statements.

The Register is based on the records submitted by data controllers along with the relevant Privacy Statements and is therefore available only in the language of the notification, generally in English.

providing advice where requested as regards the necessity for a notification or a communication of a personal data breach as well as related to a data protection impact assessment

being a liaison officer between the EEAS and the European Data Protection Supervisor, providing advice where requested as regards the need for prior consultation, and responding to requests from the European Data Protection Supervisor

The Data Protection Office furthermore:

ensures that the principles of personal data protection are applied correctly within the EEAS

manages the notification system of all personal data processing operations in the EEAS